A hacker was able to break into the database of RockYou, which provides applications and services for social networking sites like Facebook and MySpace, and obtain 32 million clear-text passwords through an SQL vulnerability. He was able to steal the information because users’ email addresses and passwords were stored in clear text, meaning they were not rendered unreadable through encryption or any other methods. If you happen to use the same email address and password on any other sites, consider them hacked as well.
This might be a good time to review not only which websites you currently use, but web sites where you still have logins but don’t use any more. Most web sites don’t have any way to unregister or delete your account so even though you aren’t using them you still need to ensure that they are secure, or at least do not use UserIDs and passwords which you use on any other site.
Now that the horse has left the barn, RockYou has found religion and is encrypting all passwords and reviewing their current data security features to ensure that they meet industry standards and best practices. Whoopee.
Meanwhile, your password may be toast if you use any of these applications:
- Facebook: superwall, pieces of hair, speedracing, likeness, hugme, birthdaycards
- Myspace: slideshow, uploadphoto, photofx, glittertext, funnotes, countdown, superhug, myspace layouts, stickers
- HI5, Friendster, Orkut, and Bebo users are also at risk
What Did We Learn From This?
Use different user names and/or passwords for every web site on which you have an account. If you have problems remembering user names and passwords, there are dozens of password tracking programs available. Personally I use SplashID which runs on Mac, PC, and iPhone as well as other smart phones. Your information is encrypted and safe as long as your master password doesn’t get out. And one way to guarantee that is to use a password that you can remember, that has nothing to do with your personal life (mom’s maiden name, you wife’s birthday, or your dogs nickname are all no-no’s), and is not used anywhere else.
SplashID will generate random passwords for you which you can copy and paste into the web site. Since you use a different password on every site, the theft of your user name or password from one site will not compromise any other sites.
The Final Word
If you are a business with data ‘in the cloud’ you should have asked your provider about their security practices, what information is encrypted and how it is encrypted, and finally how often they change encryption keys. Meanwhile, if you have accounts on any of the sites listed above, you should spend your weekend changing passwords on any account which is using the same one. And don’t make them the same again or you are still vulnerable to the next hack.
Ron LaPedis, MBCP, MBCI, CISSP-ISSAP, ISSMP
Founder and Principal
Seacliff Partners International, LLC
